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In the quantum version of a Trojan-horse attack, photons are injected into the optical modules of 
a quantum key distribution system in an attempt to read information direct from the encoding 
devices. To stop the Trojan photons, the use of passive optical components has been suggested. 
However, to date, there is no quantitative bound that specifies such components in relation to the 
security of the system. Here, we turn the Trojan-horse attack into an information leakage problem. 
This allows us quantify the system security and relate it to the specification of the optical elements. 

The analysis is supported by the experimental characterization, within the operation regime, of 
reflectivity and transmission of the optical components most relevant to security. 


I. INTRODUCTION 

Since ancient times, the Trojan-horse has been known as 
a stratagem for penetrating a securely protected space. 
It is therefore essential to consider Trojan-horse attacks 
in determining the boundaries of any supposedly secure 
space. This explains their ubiquitous presence in differ¬ 
ent fields where privacy is required, ranging from cryp¬ 
tography to computing and finance. In particular for a 
cryptographic application like quantum key distribution 
(QKD) [IHl], as well as for its most recent developments 
showing full or partial independency from the specific de¬ 
vices used [SHin], the existence of a protected area is a 
fundamental assumption. 

QKD allows two remote parties, usually called Alice 
(transmitter) and Bob (receiver), to share a common se¬ 
cret key with information theoretical security, over an in¬ 
secure quantum channel and an authenticated or broad¬ 
cast classical channel. QKD’s security derives from the 
laws of quantum physics and its implementation neces¬ 
sarily makes use of physical systems, whose correct be¬ 
havior has to be characterized and guaranteed against 
unwanted imperfections. Any ignored deviation from the 
expected behavior can be exploited by an attacker (Eve) 
to compromise the system security. In Fig.[^ the Trojan- 
horse attack (THA) against an optical QKD setup is 
sketched. Eve uses the optical channel connecting Alice 
and Bob to launch a bright light pulse containing Trojan 
photons into Alice’s supposedly secure module. The light 
pulse reaches the encoding device and is encoded with the 
same information ip as the photon normally prepared by 
Alice and then sent to Bob. The information (p is meant 
to be private. However, some of the Trojan photons are 
reflected back and deliver it to Eve, thus compromising 
the security of the system. 

This eavesdropping strategy was initially described 
in m and afterwards named “Trojan-horse attack” 
in [12]. Due to its apparent simplicity, the THA has 
been often considered easily tractable. However, to date, 
there is no quantitative analysis to mitigate it and there is 
an increasing number of experiments showing its severity 



FIG. 1. Representation of the Trojan-horse attack against an 
optical QKD setup. Eve sends a large amount of Trojan pho¬ 
tons (thick arrow) against Alice’s defensive structure. Some of 
the photons reach the encoding device, are encoded with the 
private information p and reflected back to Eve (thin arrow), 
who retrieves the information by measuring the photons. 


instead [lacE]. Eor example, it was shown in m that 
phase information can be extracted from a LiNbOs-based 
encoding device using optical-frequency-domain reflec- 
tometry. More recently, it has been demonstrated that 
phase values from an encoding device can be discrim¬ 
inated with 90% success probability using only 3 pho¬ 
tons [T3|. 

To counteract the THA, different solutions have been 
proposed. On the one hand, active countermeasures, sim¬ 
ilar to the ones used to ensure the security of the ‘plug- 
and-play’ QKD setup [TTHin]. Alice could be endowed 
with an active phase randomizer naEi] and a watchdog 
detector [niiiH] to remove the phase reference from Eve’s 
hands and bound the energy of the incoming light pulses. 
However, active components usually add extra complex¬ 
ity to the setup and may offer more options to the eaves¬ 
dropper M- Eor instance, it has been shown recently 
that a monitoring detector of a commercial QKD system 
can be bypassed easily US]. On the other hand, pas¬ 
sive countermeasures can be realized with much simpler 
elements, e.g. optical fiber loops, filters and isolators, 
which leave fewer degrees of freedom to the eavesdrop¬ 
per. Furthermore, they are often inexpensive, simple to 
implement and to characterize experimentally. However, 
in this case, powerful resources like the phase randomiza- 
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tion and the watchdog detector cannot be used to prove 
the security of the system. 

As a result, the security analysis of the THA remains 
elusive and no security-proof solution has been derived 
to date. The only provably secure countermeasures are 
for users endowed with a teleportation filter [ 22 ] or for 
the receiver in a system running the BB84 protocol [TJ 
m- In the former case, the solution is not practical and 
it entails considerable changes in the setup that could 
open additional loopholes. In the latter case, a delay 
line installed at the entrance of Bob’s module prevents 
Eve from reading the basis information before the qubit 
has entered Bob’s protected territory. However, the same 
measure is ineffective to protect the transmitting side of 
the QKD system, nor does it apply to other protocols 
such as the B92 [23| and the SARG04 [24]. Hence it 
cannot be considered a general solution against the THA. 

In this work, we analyze an entirely passive architec¬ 
ture to counteract the THA. We provide quantitative 
bounds that connect the values of the passive optical 
components to the security of the QKD system. The key 
element is interpreting the THA as a side channel. Nor¬ 
mally Alice is unaware of it and treats her preparation as 
ideal. This causes undetected leakage of information from 
her module to Eve’s territory. However, if Alice charac¬ 
terizes the relevant optical components in her apparatus, 
she can bound the information leakage and attain secu¬ 
rity through an adequate level of privacy amplification. 


II. THEORETICAL DESCRIPTION 

Let us consider the transmitter module [25] in the unidi¬ 
rectional, fiber-based, phase-modulated QKD setup de¬ 
picted in Eig. In the THA, Eve injects light into Alice’s 
apparatus through the same optical fiber that serves as 
a quantum channel between the users (thick arrow in the 
figure). The goal is to reach the phase modulator that en¬ 
codes the private information ip a- A concrete possibility 
for Eve is to use a laser emitting pulses with average pho¬ 
ton number /iin, prepared in a coherent state [IS]- 

The pulses acquire the phase modulation information ^a 
and return to Eve as (thin arrow in Eig. 

where /iout = being 7 <C 1 the optical isolation of 

the transmitting unit. The light pulse retrieved by Eve 
is correlated to the phase (pA and this compromises the 
security of the system. 

To prevent the THA, Eve’s action has to be bounded 
by a physical mechanism. In particular, it is clear that 
if the intensity /iin is unbounded, no solution can exist 
against the THA. On the contrary, when /iin is bounded, 
Alice can adjust the value of the optical isolation 7 so to 
make /iout? and therefore Eve’s information, arbitrarily 
small. In this work, we consider the Laser Induced Dam¬ 
age Threshold (LIDT) as the main physical mechanism 
limiting Eve’s action. The LIDT provides an estimate of 
the energy, thence of the number of photons, that Eve 
can inject into Alice’s module in a characteristic time in¬ 



FIG. 2. Schematics of the transmitting unit of a unidirectional 
fiber-based QKD setup and Eve’s THA. LS is a generic light 
source. The square with pA is the encoding device. It writes 
the phase information pA on photons traveling in the short 
arm of the interferometer. Eve injects a bright light pulse in 
the coherent state into Alice’s module. A fraction of 

it is encoded by Alice and back-reflected to Eve, emerging as 
je^^^^^/iout), i-c., attenuated by a factor 7 (//out = 7/^in) but 
containing the phase information pA (dashed line). 


terval without damaging it. Details about the LIDT are 
given in Section HI. Eor the moment we call N the max¬ 
imum number of photons that Eve is allowed to inject 
in the transmitter module in the time unit (1 second) 
without violating the LIDT condition. This parameter 
will be used to provide a security argument against the 
THA. 


A. Preliminary quantities 

In a THA, Eve firstly prepares M groups of photons and 
then use each group to probe a different value of Alice’s 
phase modulator (PM). To fix ideas, we can imagine that 
each group of photons physically corresponds to one pulse 
of Eve’s light source and that each pulse is prepared in 
a pure coherent state m- The resulting structure is a 
tensor product of coherent states: 

IV/ZT) ® Iv^) ® ••• ® IV^)- (1) 

In Eq. 0 , Pi {i = 1 ,..., M) is the mean photon number 
of the i-th coherent state. In order to not overcome the 
LIDT threshold Eve has to guarantee the following 
condition: 

M 

'P lXi= MfXj-n < N, (2) 

where we have introduced the overall mean photon num¬ 
ber of Eve’s light //in- In general, it is possible for Eve to 
vary each pi to enhance her strategy. However, it turns 
out that this brings no advantage to her, as we shall show 
later on. The convexity of the key rate as a function of 
Pi makes it always better for Eve to set pi equal to a 
constant value. Therefore we have: 

pi — Pin' 


(3) 
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It can be noted that Eq. (§ rules out a whole class of 
attacking strategies by Eve, where she redistributes her 
initial Trojan photons in a fewer number of pulses. Intu¬ 
itively, this could increase Eve’s information on a subset 
of Alice’s states, but can never increase her total infor¬ 
mation about the whole key. It is beneficial to Eve to 
distribute her photons evenly among the available pulses, 
so to maximise her total information. We will reach the 
same conclusion in Sec. III.A, but from a physical point 
of view. There, an even distribution of the Trojan pho¬ 
tons will allow Eve to keep the LIDT of an optical com¬ 
ponent close to its minimum value. 

Each of Eve’s Trojan pulses is sent in the transmitting 
unit to probe a different phase value (^a of Alice’s PM. 
After that, the pulses are retrieved by Eve and their mean 
photon number amounts to /Tout = 7 /^in- Let us call Ja 
the total number of phase values encoded by Alice’s PM 
in 1 second. This is equal to the PM clock rate, expressed 
in Hz. Because Alice knows /a, the maximum number 
of Trojan photons per second N and the optical isolation 
7 , she can bound the mean photon number of the Trojan 
pulses emerging from her module. We call /iout the upper 
bound. It amounts to: 

A^out = ^. (4) 

/iout is a crucial parameter in the security argument be¬ 
cause it is directly controllable by Alice. It can be inter¬ 
preted as the mean photon number of the Trojan pulses 
retrieved by Eve. 

In the next section, we proceed from these preliminary 
observations to derive the secure key rate of the BB84 
protocol, assuming that Alice is endowed with an ideal 
single-photon source. Then, in Section II.C, we extend 
the security argument to the BB84 protocol implemented 
with a laser source and decoy states. 


B. Key rate of single-photon BB84 protocol 

Let us suppose that Alice prepares ideal single-photon 
BB84 states and that the only source of information leak¬ 
age from Alice’s system to Eve is from the THA on the 
PM. Eve shall execute the THA using coherent states of 
constant intensity as per Eqs. 0 and 0 . We assume 
the worst-case scenario where Eve can retrieve her states 
back from the quantum channel with 100 % fidelity, even 
though, in practice, this may be not fully permitted by 
the laws of physics. In this description, the THA can 
be executed without adding any noise to the communi¬ 
cation channel. Despite this, secure keys can still be ex¬ 
tracted if the QKD system is well characterized. This is 
quite counter-intuitive as it challenges the common view 
of QKD as an eavesdropping deteetion system, while pro¬ 
moting it as an eavesdropping prevention system [28] . 

The characterization of the QKD system proceeds as 
follows. With reference to Alice’s interferometer (see 


Eig. 2), we define the states in the computational ba- 
sis Z as |0z) = |l)i|0)s, \lz) = |0);|l)s, where \n)i {\n)s) 
is the n—photon state traveling in the long (short) arm 
of the interferometer. Then we write the four BB84 pro¬ 
tocol states as |0x), |lx) and |0v), |lv) for the X and 
Y bases, respectively, corresponding to setting the phase 
(fA equal to { 0 , 7 r} and { 7 r/ 2 , 37 r/ 2 }, respectively, in the 
qubit state (| 0 z) + |lz))/v^. 

Eve’s task is to determine ^pA using the light back- 
reflected from Alice’s apparatus. However, the states 
prepared by Alice and sent to Bob (below labeled with 
“B”) are single photons and do not give any phase refer¬ 
ence to Eve. Also, the states sent and retrieved by Eve 
(below labeled with “E”) originate from an external inde¬ 
pendent source. Therefore the resulting states emerging 
from Alice’s module can be written as tensor products: 

\i^0x)BE = \^x)b ^ I + VMout)^;, 

\'^ix)be = |lx)s (8) I - V/iout)^;, 

\'ipOY)BE = |lv)s (8) I + i^/l^out)E, 

\i^lY)BE = |0v)b I — (5) 

The above states justify an alternative interpretation of 
/iout 5 be., an excess mean photon number exiting Alice’s 
module. If /iout = 0, only true single-photon states leave 
the transmitting unit, whereas if /iout > 0 , a hidden side- 
channel, created by the THA, provides Eve with addi¬ 
tional information via the excess photons contained in 
the states of Eq. 0 . 

It is natural to ask how Eve can use the information 
obtained in the THA. One possibility is for her to wait 
until the basis reconciliation step of QKD, in order to 
measure the back-reflected Trojan photons in the correct 
basis and learn the bit encoded by Alice. In this case. Eve 
simply prepares and retrieves the Trojan photons and 
causes no disturbance on the quantum channel. How¬ 
ever, she only gains the information carried by the Tro¬ 
jan photons and makes no use of the photons prepared by 
Alice. A more powerful strategy is to use the Trojan pho¬ 
tons during the quantum transmission, without waiting 
for the basis reconciliation step. Eve could first mea¬ 
sure the Trojan photons and then decide whether to stop 
or transmit Alice’s qubits conditional on the result from 
her measurement. Einally, Eve could glean information 
about the basis chosen by Alice and use it to measure Al¬ 
ice’s qubits, thus making optimal use of all the sources of 
information available to her. This is a convenient frame¬ 
work, as it allows to prove the security of QKD against 
the most general attack by Eve [29ll3T| . We analyze all 
the above attacking strategies, from the weakest one to 
the most general. The first and second THA are ana¬ 
lyzed in Appendices C.l and C. 2 , respectively, while the 
third, most general, THA is outlined here and detailed 
in Appendix B. 

To bound the security in the general case, we resort 
to the so-called “GLLP approach” [29]. More precisely, 
we use the refinement of GLLP based on the qubit dis¬ 
tillation protocol by Koashi m- In Appendix B, we 






4 


apply this approach to the states in Eq. and derive 
the secure key rate of the efficient BB84 protocol [32l |33] . 
There, it is shown that if the key is distilled from the X 
basis and the phase error rate is estimated in the Y basis, 
the asymptotic key rate of a QKD system endowed with 
a single-photon source is: 


R = Qx[l - - fEch{ex)]- (6) 

In Eq. Qx is the single-photon detection rate in the 
X basis, i.e., the joint probability that a single-photon 
pulse is emitted by Alice and detected by Bob and both 
users measure in the X basis; h is the binary entropy 
function, Jec is the error correction efficiency [34] and 
ex is the (single-photon) quantum bit error rate (QBER) 
measured in the X basis. The term e'y is the (single¬ 
photon) error rate estimated in a virtual protocol where 
the users measure in the Y basis and Alice announces the 
X basis [30]. It is given by the following equations: 

= ey + 4A'(1 - A')(l - 2ey) + 

+4(1 - 2A')yA'(l-AOey(l-ey) , 



A — ^[1 l^out) COs{^out)] 1 

where we conservatively defined y := min[3^x, with 
Yx and Yy the single-photon yields in the X and Y 
basis, respectively, i.e., the conditional probabilities that 
a single photon state emitted by Alice causes a click in 
Bob’s detector, when the users measure in the same basis, 
X oi Y. The presence of /iout in the last line of Eq. 0 
shows how the THA affects the key rate in Eq. 

The key rate R has been plotted in Eig. 3 as a function 
of the distance between the users, for different values of 
the output mean photon number //out, using parameters 
close to existing real systems [35]. Erom the figure, it can 
be seen that the key rate corresponding to /iout = 10“^ is 
indistinguishable from /iout = 0 (no THA) over distances 
up to 100 km, i.e., about 60% of the maximum distance 
(170 km in Eig. 3). Eor /iout = 10“^, the key rates in 
presence and absence of a THA overlap over nearly the 
whole range. In this case, a negligible amount of addi¬ 
tional privacy amplification is required to guarantee secu¬ 
rity against the THA. The key rate remains positive also 
for /iout = 10“^, but the maximum distance is limited to 
9 km in this case and the key rate is severely affected by 
the THA. The largest value of /iout showing a positive 
key rate is 0.015. 

It is worth remarking that the entire effect of the THA 
is condensed in the parameter /iout ^ ns it is apparent from 
Eq. 0. Therefore, the obtained key rate is equally ap¬ 
plicable to any QKD setup capable of guaranteeing an 
upper bound to the mean number of Trojan photons re¬ 
flected by the transmitter back to Eve. 


Distance (km) 

0 25 50 75 100 125 150 175 



FIG. 3. Asymptotic key rate R versus distance for the single¬ 
photon efficient BB84 protocol under a THA. The rate is plot¬ 
ted for different values of the output mean photon number 
/iout- Other parameters in the simulation are: fiber loss co¬ 
efficient 0.2 dB/km, total detection efficiency 12.5%, optical 
error rate 1%, dark count probability per gate 10“^, error 
correction inefficiency 20% above the Shannon limit. 


C. Key rate of decoy-state BB84 protocol 


The key rate in Eq. 0 has been derived assuming that a 
single-photon source is available to Alice. However, it is 
well-known that security can still be guaranteed without 
a single-photon source if a phase-randomized attenuated 
laser [36] is combined with the decoy-state technique [371 
[38]. Actually such a solution is currently more efficient 
than a single photon source due to the limited generation 
rates of existing single photon sources [39l [40] . 

To extend the result to a decoy-state source, we as¬ 
sume that the decoy-state execution is not affected by 
the THA. This is equivalent to saying that Eve’s only 
target in the THA considered here is Alice’s PM and the 
devices used by Alice to implement the decoy-state tech¬ 
nique are not touched by the THA (see Assumption 3 in 
Appendix A and accompanying discussion). Under this 
assumption, the decoy-state key rate is a straightforward 
generalization of Eq. (21) along the lines described, e.g.. 


in [38]. Indicating with a tilde the quantities to be esti¬ 
mated via the decoy-state technique and with s the mean 
photon number of the signal pulse in the decoy set of 
states, we obtain: 


R = Qx^ 


o'(l) 


I Qx^ fEch[ey^], (8) 


where; 


g'(i) 


er +4A'(1 - A')(l - 2ey) + 


+ 4(1 - 2A')V A'(l - A')ey(l - ey), 


A' = l 

r 
1(1) 


(9) 


In Eq. 0, is the decoy-state estimation of the single¬ 
photon detection rate Qx in Eq. 0, while is the de- 
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FIG. 4. Asymptotic key rate R versus distance for the decoy- 
state efficient BB84 protocol under a THA, for various values 
of the output mean photon number flout- Experimental pa¬ 
rameters in the simulation are as in Figs. The average 
photon number of the signal states in the decoy-state tech¬ 
nique is s = 0.5. 


A^in = (/^i + M2)/2. Then, for each of the key rates given 
in this work, represented by a generic symbol 7^, we have 
numerically verified that: 


'R-ifJ'm) < 


^(Mi) + ^(^2) 


( 10 ) 


For that, we have used the explicit expressions of the 
key rates and their dependance on /iout? which is re¬ 
lated to the input photon number by the linear equa¬ 
tion /Tout = 7/^in- In other terms, the key rates are con¬ 
vex functions of flout and thence of /iin- According to 
Eq. ( pr] ), the rate distilled by the users under Eve’s new 
strategy (R.H.S.) is larger than the one pertaining to the 
old strategy (L.H.S.), so the new strategy is less effective 
and not advantageous to Eve. More general strategies 
by Eve that account for more than two classes of pho¬ 
tons with different mean photon numbers can be treated 


as a trivial extension of Eq. (10) 


III. BOUNDS ON INPUT PHOTONS 


tection rate of the signal pulse measured in the X basis. 
In Eq. (§, we conservatively defined y = min[3^x, 37y], 
with yx and yy the single-photon yields in the X and 
Y basis, respectively, estimated via the decoy state tech¬ 
nique. 


The key rate R is plotted in Fig. Although rate 
and maximum distance are smaller than in the single¬ 
photon case (Fig. [^, as expected, it is remarkable that 
the key rate corresponding to a value /iout = 10 ^ 


-7 


re¬ 


mains indistinguishable from the ideal rate (/iout = 0) 
over nearly the whole distance range. A 10 times larger 
value, flout = 10“^, which is easier to achieve in practice, 
generates a key rate that closely follows the ideal one up 
to 100 km, i.e., 70% of the maximum distance achievable 
(146 km in Fig. [^, and remains positive up to 140 km, 
i.e., 96% of the maximum distance. This motivates our 
choice of flout = 10“^ for the case study in Sec. W A. Fi¬ 
nally, it is worth noting that the key rate remains positive 
even for larger values of flouts up to 0.012. 

Before concluding this section, a couple of remarks are 
in order. First, it has been convincingly proven that the 
key rate achieved with only three decoy states is very 
close to that obtained with an infinite amount of decoy 
states mi- We have run simulations that confirm this 
result. Therefore the key rate in Fig. is achievable in 
a real system. Second, the rate equations provided so 
far have been derived using coherent states of constant 
intensity. Here we show that this setting is actually ad¬ 
vantageous to Eve. Suppose that Eq. does not hold, 
i.e., fii % /iin- With this setting. Eve is trying to dis¬ 
tribute her N Trojan photons unevenly among the M 
pulses, in an attempt to enhance her information gain. 
Suppose that Eve distributes the N photons in only two 
classes of pulses, such that the first (second) class fea¬ 
tures an average photon number fii {fi 2 ) and fii < fi 2 1 


In our security argument, the quantity N plays an im¬ 
portant role. Here we provide more details about this 
limiting threshold and describe a way to quantify it. For 
that, we adopt a pragmatic approach, motivated by the 
results of the previous sections. In particular, we have 
established that Eve conducts the THA using coherent 
states of constant intensity. Therefore we can conve¬ 
niently think that such states are generated by a single¬ 
mode laser operated well above threshold [42] . This view 
naturally leads to considering the laser-induced damage 
threshold, LIDT. From a security perspective, the LIDT 
can only provide a general indication of the bounds to be 
used in a security analysis. The actual response to ther¬ 
mal damage of the real components of a QKD system 
should be experimentally measured. 


A. Laser-induced damage threshold 

A single-mode optical fiber is arguably the most com¬ 
mon component of a fiber-based QKD setup. It is used 
mainly to transmit information in the third telecom win¬ 
dow (wavelength A = 1.55 fim) because of its small atten¬ 
uation coefficient. Its typical core diameter is 8 — 10 /im, 
corresponding to a core area of 50 — 80 fim^. If the laser 
power used by Eve is sufficiently high, it creates an ac¬ 
cumulation of energy in this small region of the core and 
increases the temperature of the medium beyond the tol¬ 
erance level, inducing fiber thermal damage [4311^ . 

Such a damage threshold is usually quantified by the 
LIDT, laser-induced damage threshold, defined in the 
2011 international standard ISO 21254-1 as [45|: ^Hhe 
highest quantity of laser radiation ineident upon the op- 
tieal eomponent for whieh the extrapolated probability of 
damage is zero, where the quantity of laser radiation may 
be expressed in energy density, power density or linear 
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power density^^ [46]. The smaller the LIDT of the com¬ 
ponent, the larger the probability to damage it. This 
subject is well-studied and values for the LIDT of a silica- 
based optical fiber, which is the component we are inter¬ 
ested in, can be obtained. However, before discussing 
the absolute values, it is worth examining the qualitative 
behavior of the LIDT, which is determined by the un¬ 
derlying thermal damaging mechanism. The purpose is 
to investigate how features of Eve’s laser like the repeti¬ 
tion rate or the pulse width can affect the LIDT and, by 
consequence, the system security. This provides useful 
indications for setting a proper LIDT value. 

One prominent feature of the LIDT is that it increases 
with the pulse width of the incident laser, i.e., a wide 
light pulse causes less damage to the optical component 
than a narrow one. This makes narrow pulses more de¬ 
tectable to Alice and Bob than wide ones. This can be 
formalized using the well-known square root dependence 
of the LIDT on the pulse width jT7ll5Q] : 


LIDT(ri) _ /n 
LIDT(r 2 ) V^ 2 ’ 


( 11 ) 


Here ri and r 2 are two different pulse widths for the same 
pulse energy. Eq. (11) suggests that Eve’s laser pulse 


should be the widest possible, compatible with Alice’s 
phase modulator. 

A similar rule applies to the laser wavelength, resulting 
in the shorter wavelength to be causing more damage to 
the optical component than the longer one (see e.g. my- 


LIDT(Ai) 

LIDT(A2) 


( 12 ) 


Eq. ^2) suggests that Eve’s optimal laser’s wavelength 
should be as large as possible, even larger, if necessary, 
than the typical wavelength used in the QKD setup. 
However, it also entails that the LIDT remains rea¬ 
sonably constant for all the wavelengths possibly trans¬ 
mitted in the fiber. A standard optical fiber cannot 
transmit by total internal reflection beyond the so-called 
“bend-edge” wavelength, which is only a few hundred of 
nanometers away from the fiber cutoff wavelength (see, 
e.g., [52]). As an example, we can consider a bend-edge 
wavelength of 1850 nm for an optical fiber transmitting 
at 1550 nm [Slllsl]. According to Eq. (H^, this would 
increase the LIDT by less than 10%, showing that the 
wavelength of Eve’s laser is not crucial in determining 
the efficacy of the THA. To compensate for this effect in 
the theory, it suffices to increase the LIDT value by 10%. 

To upper bound the input photon number N used in 
the security argument, we need to estimate the LIDT 
of Alice’s optical module. This is arguably given by the 
LIDT of the most fragile component in the module. How¬ 
ever, we will consider the LIDT of just one of the com¬ 
ponents in Alice’s unit, the one most exposed to Eve’s 
light. The other components are assumed to either work 
in their normal operation regime or fail in a way that is 
detectable by the users (see Assumption 1 in Appendix A 


and accompanying discussion). In Section IV, we de¬ 
scribe the architecture of Alice’s setup against the THA. 
The component most exposed to Eve’s light is a loop of 
standard optical fiber placed at the main entrance of the 
transmitting box. Hence we are interested in the LIDT 
of a standard single mode optical fiber. One possible way 
to estimate it, is to consider the geometry of the fiber and 
the material it is made of. As said, a typical fiber has a 
core area of about 50 and is made of fused silica. The 
LIDT of fused silica is determined by the softening point 
of the material m and amounts to 1.1 x 10^ J/cm^ [55] . 
Eor a longer time, the silica-based medium starts dissi¬ 
pating heat and the threshold increases linearly with the 
pulse width. Eor a shorter time, the square root law in 
Eq. (11) applies, decreasing the LIDT accordingly. 

The above-cited LIDT value corresponds to an aver¬ 
age power of 5.5 x 10^ W over 50 /im^. Eor a typical 
wavelength of A = 1.55 /im this means that 4.3 x 10^^ 
photons impinge every second onto the fiber core area. 
Before such a large number of photons can damage the 
fiber core, other highly detectable damages are likely to 
occur at the fiber interfaces, causing, e.g., a net reduc¬ 
tion of the transmission, or an increase in the noise figure. 
Also, the LIDT value mentioned above relates to a homo¬ 
geneous medium. In reality, large temperature gradients 
can occur in the proximity of a defect, or at the connec¬ 
tion between two segments of fiber, or at the interface 
between the fiber core and the cladding. Some of these 
properties can even be artificially enhanced by acting on 
the number of connectors, the bending radius and the 
doping levels of the fiber. These considerations lead to 
the conclusion that the given LIDT value is an overly con¬ 
servative estimation of the real LIDT of an optical fiber. 
In the next section, we obtain a different LIDT value by 
combining the findings of Section H with the results from 
experiments performed on real optical fibers. 


B. Fiber thermal fuse-induced LIDT 

In Section H, we have shown from an information theory 
point of view that Eve’s optimal strategy is to distribute 
her photons into a number of pulses M that is equal to 
Alice’s PM clock rate (in Hz) /^, so to maximize her 
total information gain. In the description of Eve’s laser, 
the above strategy translates into setting /£; = /a , where 
/e is Eve’s laser repetition rate. Moreover, in the previ¬ 
ous section, we have shown that the LIDT depends only 
weakly on the laser pulse width and that the larger the 
width, the larger the damaging threshold. In the descrip¬ 
tion of Eve’s laser, this translates into having a laser pulse 
width, te, as large as possible, compatibly with Alice’s 
PM. Let us call ta the time window of Alice’s PM. If 
'Te > a fraction of Eve’s photons falls outside the PM 
gate and deliver no information to Eve. Therefore, the 
optimality condition for Eve is te = r a- This condition 
on the pulse width represents an additional constraint for 
Eve and an extra parameter under Alice’s control. After 
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7 and /a, Alice can now act on ta to make Eve’s strategy 
less effective. In particular, by reducing Alice reduces 
the damaging threshold of her module, thence N. 

Let us draw a worst-case scenario from the above con¬ 
siderations. We conservatively assume that Alice’s PM 
is driven by a perfectly rectangle wave. This helps Eve 
matching the condition te = ta and simultaneously 
keeping the damaging threshold high. As a consequence, 
the amplitude of Alice’s PM is assumed to be flat in time. 
The amplitude is selected at random among the four 
equally spaced values of the BB84 protocol. The way 
these values are selected depends on the logic driving the 
PM. If a non-return-to-zero (NRZ) logic is used, the PM 
duty cycle is 100%, i.e., the PM is always active, transit¬ 
ing from a given phase value directly to the next one and 
we have in this case = 1 //a- If a return-to-zero (RZ) 
logic is used, the modulator is reset after each encoded 
phase value. In this case the duty cycle is less than 100% 
and the PM time duration is ta < fA- We note that 
in the particular case Alice’s PM is driven according to a 
NRZ logic (100% duty cycle). Eve’s laser coincides with 
a continuous-wave (CW) laser, as it emits a seamless se¬ 
quence of rectangle pulses, all of the same amplitude, 
sitting one next to each other. A deeper thought reveals 
that this is actually a worst-case scenario, because when 
the condition te = ta is matched, te takes on its max¬ 
imum value (1//^), thus minimizing the risk of optical 
damage, while leaving Eve’s information unchanged. Be¬ 
cause of that, we can always imagine that Alice’s PM is 
driven by a NRZ logic, even if it is RZ and, accordingly, 
that Eve uses a CW laser to probe the PM. 

Experiments performed with CW lasers on real op¬ 
tical fibers have demonstrated that an average power 
around 2-5 W cause a catastrophic thermal damage in 
a standard single-mode silica fiber [561158] . This effect 
is known as “self-propelled self-focusing” or “fiber ther¬ 
mal fuse” [56l |57l [59ll62l [64l 165] . The high power of 
the laser generates a heating point in the fiber where 
the local temperature overcomes the melting point of the 
medium. Erom there, the damage propagates along the 
fiber, eventually making it unusable. This effect has also 
been exploited to build an “optical fuse” that breaks 
by 1.2-5.3 W of incident light at wavelengths around 
1500 nm [62]. Eor a wavelength of A = 1550 nm, 2 W 
correspond to 1.6 x 10^^ photons crossing every second 
a 50 /im^-fiber core area (aso). In order to have an easy 
reference for the LIDT value, we set it equal to = 10^^ 
photons/s/aso- The new LIDT value is 4.3 x 10^ smaller 
than the previous one. Still, it corresponds to 12.8 W 
from a CW laser, which is much larger than the power 
threshold reported in the fiber thermal fuse experiments. 
We will adopt this number to draw an example where 
the values of the optical components in Alice’s appara¬ 
tus are connected to the security requirements. However 
the more conservative threshold for N could be adopted 
instead to arrange a different use case for an application 
that requires a stronger bound, independent of the fabri¬ 
cation details of the fiber and relying only the softening 



FIG. 5. Architecture of a QKD transmitter to mitigate the 
THA. OFL: optical fiber loop determining the LIDT; F: op¬ 
tical filter; I: optical isolator; A: attenuator; R: total reflec¬ 
tion from all components to the left of the dot-dashed line. 


point of silica. 


IV. EXPERIMENTAL CHARACTERIZATION 

A. Passive architecture against the THA 

An entirely passive architecture against the THA is 
drawn schematically in Eig. [^ It is based on a sequence 
of components that actualize the security argument de¬ 
scribed so far. A silica-based optical fiber loop (OEL) of 
length L defines the LIDT of the transmitter and is fol¬ 
lowed by a filtering block F, an optical isolator / and an 
attenuator A. We also indicate with R the total reflectiv¬ 
ity of the optical elements to the left of the dot-dashed 
line (not to be confused with the key rate R given in 
Eq. ^ and plotted in Eig. [^. The line for the reflec¬ 
tivity R is conservatively drawn to include also the first 
beam splitter as seen by Eve to allow an easier experi¬ 
mental implementation (Section IV.B). In the figure, all 
the components are presumed to either work as expected 
or fail in a way that is detectable by the users. 

The OEL acts as a regulator for high-power input light 
and as a filter for wavelengths longer than the bend-edge 
point. Together with the optical filter F, which is tuned 
to let pass the wavelength of the quantum channel and 
stop all the others, it limits the maximum number N of 
photons that Eve can inject into Alice’s module in the 
chosen time unit. In other terms, it represents the opti¬ 
cal component to which the LIDT should apply. To fix 
the ideas, we can imagine a length for the OEL greater 
than 1 m, in line with what was reported in the experi¬ 
ments about the fiber thermal fuse effect. A longer OEL 
can only be beneficial to the users, as it increases the 
probability of thermal damage, which increases as well if 
a few interfaces are present in the OEL. 

The optical isolator strongly attenuates the input light 
from Eve, enforcing the unidirectionality condition in the 
module. A typical dual-stage optical isolator features an 
isolation value of 10“^ or smaller. It is convenient to 
measure the isolation in decibel, or dB, rather than in 
absolute value. If x is the absolute value of the opti¬ 
cal isolation of a given component, we use the following 




















notation 


i: = 10 log;L 0 ^ 


(13) 


to indicate its value in decibel. So for example, the op¬ 
tical isolator mentioned above would feature an isolation 
of -50 dB. 

The attenuator box in Fig. is already present in the 
schematics of various QKD systems using an attenuated 
laser as light source, while it is not present in systems 
using a single-photon source, as it would entail major 
losses in the system. If used, it helps to avert the THA, 
as it contributes to the optical isolation of Alice’s module, 
7 . The following equation quantifies the contributions of 
each single conceptual block in Fig. to 7 : 

-f = F‘^ X r X X R. (14) 


Eq. (14) can be conveniently rewritten in dB: 


7 = 2F + n/ + 2i + i?. (15) 


In Eqs. (14), (15), the typical double-pass of a THA 
through Alice’s components has been considered. This 
leads to explicit corrections for the filter and the at¬ 
tenuator terms. Eor the isolator term there is no such 
correction, because one direction of the double-pass fea¬ 
tures zero attenuation. However, there is a factor n that 
represents the number of optical isolators present in the 
system. 

To relate the isolation 7 to the system security, we 
need to connect it to the parameter /iout via Eq. Eor 
that, we introduce the dimensionless ratio y := N//a 
and rewrite Eq. @ in dB notation: 


Aout = X + 7 • 


(16) 


To give an example of how Eqs. (15) and (16) can be 
used to meet the security criterion, let us start from set¬ 
ting a target value for the excess average photon num¬ 
ber /iout- We have seen from Eigs. and that a value 
/^out = 10“^ (i.e. /iout = ~b0 dB) can guarantee security 
against the THA with only a negligible (limited) amount 
of additional privacy amplification over short-range and 
middle-range (long-range) QKD transmissions. There¬ 
fore we choose this value as the target. We consider the 
threshold value N = 10^^ photons/s/aso discussed in Sec¬ 
tion HI.B and a system clock rate Ja = 10^ Hz. This 
gives X = 10^^ (x = 110 dB). Erom Eq. (16), we then 
get: 7 = /iout — X = (—60 — 110) dB = —170 dB. This 
is the total optical isolation required in Alice’s module 
in order to guarantee security. Alice can try and match 
this value using well-characterized components and then 
applying Eq. (15). 

Table 1^ contains some possible combinations of /a, 77, 
A and / to match the target value /iout = ~b0 dB. Eor 
convenience, we report the absolute values of the compo¬ 
nents. In the table, we set F = 0, for the filter insertion 
loss is typically close to zero at its central wavelength. 


Glock rate 

/a (Hz) 

l7l 

\R\ 

1^1 

|/|(n) 

IGHz 

I(F 

170 

40 

35 

60(1) 

IGHz* 

lo® 

170 

50 

0 

60(2) 

IMHz 

lo® 

200 

40 

30 

50(2) 

IMHz* 

lo® 

200 

50 

0 

50(3) 

IkHz 

IcP 

230 

40 

35 

60(2) 

IkHz* 

lo^ 

230 

50 

0 

60(3) 


TABLE I. Practical combinations of system components to 
meet the target /iout = 10when N = 10^° photons/s/aso 
and F = 0 dB. All dotted quantities are in decibel and are 
given in absolute value. Lines with the asterisk are cases in 
which attenuation cannot be used, e.g., when the transmitter 
uses a single-photon source or at the receiver side. The feasi¬ 
bility of the values for 1 GHz clock rate has been confirmed 
experimentally using the QKD setup described in [66] . 


and we assume that the filter is centered at the opera¬ 
tional wavelength of the QKD setup. In the first column, 
we have considered three interesting and feasible regimes, 
1 kHz, 1 MHz and 1 GHz. The lines with the asterisk are 
for situations where attenuation cannot be used, e.g., if 
the transmitter uses a single-photon source or at the re¬ 
ceiver side. It is worth noting that single-photon sources 
up to the MHz range are currently available (see, e.g., 
[39[|40]). In all cases, we have reported what we believe 
the most practical combination of components could be. 
Eor the optical reflectivity R, we have considered a typi¬ 
cal absolute value of 40 dB, which comes from a common 
fiber connector. However, an absolute value of 50 dB 
is possible if angled connectors or splicing are used for 
the fiber-integrated optics in the module. This latter op¬ 
tion is worth considering especially for the lines with the 
asterisk in Table [I| Eor the optical isolator, its absolute 
value is set in the factory and cannot be varied by the 
users. We set it equal either to 50 dB or to 60 dB in Table 
I, according to the most convenient configuration. The 
former value is common in dual-stage optical isolators. 
The latter value is less common, but it can be obtained 
by properly sampling a set of isolators and selecting the 
best one (see Sec. IV.B). Einally, for the attenuator, we 
avoided using absolute values larger than 35 dB, as that 
would commit the transmitter to unusually high-power 
lasers. 


Erom Table [Tj it can be seen that two or more optical 
isolators might be necessary to meet the security target 
Mout = 10“^. However, if the clock rate is high enough, 
a single isolator is sufficient (first line of the table). In 
any case, given the low cost and the low insertion loss 
of filters, attenuators and optical isolators, all the op¬ 
tions in Table I can be considered feasible and relatively 
inexpensive. 
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FIG. 6. Top - Schematics of the QKD transmitter module 
and of the Z/-OTDR setup used for characterizing its reflec¬ 
tivity. Bottom - Reflection peaks of the transmitting unit. 
The distance is measured from the connector J1 placed at the 
entrance of the module. The traces are acquired for two or¬ 
thogonal polarizations, aligned to maximize the transmission 
through the short (blue traces) and long (red traces) arm of 
the interferometer. The peaks of the reflectivity are added 
to obtain a worst-case estimation (black). Only the peaks 
from the components included in the shade region of the top 
diagram have to be considered in the estimation of R. 


B. Components characterization 

To prove the attainability of the values reported in the 
first line of Table [T| we have experimentally characterized 
reflectivity and transmission of the components most rel¬ 
evant to security in the transmitting unit of a unidirec¬ 
tional GHz-clocked QKD system [66], within their oper¬ 
ational range. A full-range characterization of the real 
components in the setup is necessary to guarantee their 
behavior against unwanted deviations, as required by the 
security argument (see Assumption 1 in Appendix A). 

As a first step, we have used single-photon optical 
time-domain refiectometry (z/-OTDR, [67]) to quantify 
the reflectivity R of Alice’s apparatus. The measurement 
setup and the resulting traces are shown in Fig.[^ on the 
top and bottom diagrams, respectively. In the z^-OTDR 
setup, a 1-MHz pulsed laser at 1550 nm is connected to 
Alice via a circulator. Polarization controllers are used 
to align the pulses to the long or short path of Alice’s 
interferometer, so to obtain the output patterns of the 
orthogonal polarizations. These are shown as blue and 
red traces in Fig. [^ The two patterns have been added 
together to upper bound the total reflectivity and this 
is indicated by the black trace in the figure. The upper 
bound to R is obtained assuming the linearity of the re¬ 
flectivity, as follows: R{a\s) -\-b\l)) = ai?(|s)) -\-bR{\l)) < 



Wavelength (nm) 

FIG. 7. Spectral characterization of a dual-stage optical iso¬ 
lator. The isolator shows less than 0.36 dB insertion loss 
in the forward direction (right axis, empty squares) and more 
than 65 dB isolation in the backward direction (left axis, filled 
squares) around the central wavelength of 1550 nm. 


R{\s)) -b i?(|/)), where the vector \s) (|/)) represents the 
polarization traveling in the short (long) arm and a, b 
are complex numbers with modulo squared adding to 1. 
The traces are plotted from the entering point of Alice’s 
module, which is connector J1 in Fig. [^ However, only 
the peaks pertaining to the components included in the 
shaded region of the top diagram have to be considered 
in the estimation of R (see also dot-dashed line in Fig.[^. 

The sum of all the peaks relevant to R gives a total 
reflectivity of —42.87 dB. This value meets the require¬ 
ment R < —40 dB set in the first line of Table I. Also, the 
characterized QKD system includes an attenuator set to 
—35 dB. To match the \^\ = 170 dB condition, additional 
optical isolation of at least —60 dB is needed. Dual-stage 
isolators specifying typical isolation at this level are com¬ 
mercially available from a number of manufacturers. One 
isolator was directly tested by us and featured an abso¬ 
lute isolation larger than 65 dB in the proximity of the 
main transmission wavelength of the system, 1550 nm, as 
shown in Fig. [^ Across the S-, C- and L-Band, the iso¬ 
lation value varies, until it reaches a minimum of about 
40 dB. However, in this regime, the optical filter takes 
over and provides high optical isolation so that a typi¬ 
cal suppression of more than 80 dB is obtainable across 
the entire C-band. Because the filter is crossed twice by 
Eve’s light, this leads to more than 160 dB additional 
optical isolation to the system whenever the wavelength 
is different from 1550 nm. This demonstrates that the 
values reported in the first line of Table I are feasible 
when devices are operated in their working regime. 


V. DISCUSSION 

In the first part of the work, we derived our main result, 
i.e., the secure key rate of a QKD system in the pres- 
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ence of a THA, under reasonable assumptions (see Ap¬ 
pendix A for a summary and a discussion of the assump¬ 
tions). The result depends on Alice’s ability to limit the 
number of the incoming photons N and to reliably upper 
bound the mean number of Trojan photons /iout exiting 
from her module. However, the curves plotted in Figs. 
and 1^ are independent of N and can be applied to differ¬ 
ent QKD systems, provided that the assumptions in the 
theory are met. From the key rates, we have shown that 
a value of the mean output photon number //out ^ 10“^ 
allows to approach the situation with no THA for nearly 
any distance between the users. For distances up to 70% 
of the maximum working distance, this can be achieved 
without any additional privacy amplification. 

In Section HI, we have drawn an example of how to 
set a value on N using the thermal damage point of an 
optical fiber. The most conservative value for N is in 
the order of 10^^ photons injected every second on the 
core area of the fiber. This value has been obtained from 
the softening point of a homogeneous medium made of 
fused silica and is independent of future advancements in 
technology, provided that the composition of fused silica 
remains unchanged. A lower value for equal to 10^^ 
photons/s/aso, has been drawn from recent experiments 
on the thermal damage of real fibers, after taking into 
account the presence of inhomogeneities in the fiber and 
the qualitative behavior of the LIDT in response to the 
laser pulse width. Using this lower value, we showed 
the feasibility of our passive architecture in a practical 
scenario. We related the key rate of a QKD system to its 
clock, detection rate, reflectivity and to the properties 
of a sequence of fiber loop, filter and optical isolator, 
as depicted in Fig. In Table I, we devised various 
combinations of these components to meet the security 
condition against the THA. According to the table, most 
of the existing QKD systems can potentially be protected 
from THA’s, provided that a sufficient number of optical 
isolators are used and that the real components behave 
as expected. 

Some elements in our security argument may appear 
optimistic, for instance, the use of coherent states by Eve. 
However, we believe that our analysis is overall conser¬ 
vative. The considered LIDT threshold corresponds to 
a light power of 12.8 W from a CW laser and is larger 
than the power required to activate the fiber thermal 
fuse effect in a standard single-mode fiber. It is reason¬ 
able to think that before this large number of photons 
can melt the fiber core, some other mechanism would 
make Eve detectable. We also assumed a noise-free re¬ 
trieval of quantum states by Eve, while it is well known 
that the retrieval is physically limited by Raman and 
Rayleigh scattering. We decided not to consider the fact 
that other QKD components, already present in Alice’s 
module, could have a lower LIDT than the optical fiber. 
Einally, we ignored that monitoring detectors are already 
present in most of the QKD systems, mainly for stabiliza¬ 
tion purposes. Such devices additionally constrain Eve’s 
action and can be beneficial to improve our solution. 


VI. CONCLUSION 

In this work, we studied the security of a fiber-based 
QKD setup endowed with passive optical components 
against the long-standing Trojan-horse attack (THA). In 
the framework of Ref. [29] , we provided quantitative se¬ 
curity bounds, easily applicable in practice, against a 
general THA. With the proof method of Ref. |68|, we 
analyzed two specific examples of a THA, giving use¬ 
ful insights into the THA mechanism and the method 
employed to prove security against it (Appendix C). In 
our analysis, we focused on a particular unidirectional 
QKD setup, in which light flows from the transmitter 
to the receiver and the reverse direction is forbidden. 
This architecture is similar to that of the transmitters 
used in Ref. m to guarantee the measurement-device¬ 
independent security of the decoy-state BB84 protocol. 
Hence we expect that our results can be applied to that 
system after minor modifications. The unidirectional 
configuration allows the use of optical isolators, whose 
proper behavior has to be tested against undesired de¬ 
viations. The resulting protection measure against the 
THA is entirely passive, thus preventing the loopholes 
inherent to active, more sophisticated, countermeasures. 
We believe it will become a standard tool in all quantum- 
secured optical systems that need to guarantee the pro¬ 
tection of a private space. 
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APPENDIX 

A. Security-related assumptions 

In the main text, we considered the unidirectional, fiber- 
based, phase-modulated QKD setup depicted in Eig. 
and studied its resistance to the THA. Eor that, we have 
made a number of assumptions that we summarize in the 
following list: 

1. Alice has the ability to bound V, the number of 
Trojan photons entering her setup. She can charac¬ 
terize the components in her setup and test whether 
they behave as expected under all relevant condi¬ 
tions. 

2. Eve uses a tensor product of coherent states to exe¬ 
cute the THA. The intensity of the coherent states 
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has not to be constant, but it is advantageous for 
Eve to choose it so. 

3. Alice’s light source emits either single-photon states 
or phase-randomized coherent states that are per¬ 
fectly encoded into the states of the BB84 protocol. 
Imperfect encoding of the initial states as studied, 
e.g., in Ref. [ 68 ] is excluded. The only side-channel 
in the QKD setup is the THA against Alice’s phase 
modulator described in the main body of this work. 

4. The detection efficiency of the receiver is indepen¬ 
dent of the basis choice and the basis is randomly 
chosen by the users. 

5. The key rate is worked out in the asymptotic sce¬ 
nario, assuming that Alice and Bob have infinitely 
many signals and decoy states to generate the key. 

6 . The reflectivity measured via the OTDR experi¬ 
ment is a linear function of the input polarization. 

Without Assumption 1 , it would be impossible to prove 
security. If the quantity N cannot be bounded, there is 
no private space for the encoding of the classical informa¬ 
tion onto the quantum systems, and the quantum protec¬ 
tion is circumvented. In the main text, N was bounded 
using the LIDT of the OFL in Fig. It is natural to ask 
whether a power monitor or a watchdog detector, placed 
at the entrance of Alice’s unit to actively monitor the 
input power, can provide an alternative, better, bound 
to N. There are reasons suggesting against this option. 
Firstly, an additional detector would add extra cost and 
complexity to the setup, opening up additional potential 
loopholes. For example, it has been shown in [15] that 
a power monitor can be easily bypassed if not properly 
engineered. Secondly, we used Eq. for the LIDT, 
according to which narrow pulses of light create a larger 
damage to the optical component than continuous-wave 
light, so they are more easily detectable by the users. 
This let us draw a worst-case scenario for Eve’s laser. We 
are not aware of a similar law applicable to a power mon¬ 
itor. Finally, even if the power monitor solution worked 
fine and allowed to reduce the input photon number N by 
several orders of magnitude, it should still be compared 
to the six or more orders of magnitude guaranteed by 
the addition of a single inexpensive and nearly loss-free 
component like an optical isolator. 

As for the second part of Assumption I, if Alice can¬ 
not characterize her components, she cannot work out the 
value of the optical isolation 7 to relate N and /iout via 
Eq. The characterization should consider the phys¬ 
ical limits imposed to Eve’s laser. For example. Eve’s 
laser’s power is constrained by the LIDT of the OFL in 
Fig-ll Therefore the behaviour of the components should 
be tested up to the LIDT value of the OFL. This excludes 
hacking strategies leveraging on an unexpected behavior 
of the real components, passively or actively triggered 
by the eavesdropper. The characterization step could be 
simplified if an optical fuse with a LIDT value lower than 


the lowest tolerance threshold of the components in Al¬ 
ice’s setup were available [63] . 

Assumption 2 allows us to write the states leaving Al¬ 
ice’s apparatus as in Eq. It is possible, in princi¬ 
ple, that phase-sensitive states of light, e.g. squeezed 
states [42] , could provide Eve with more information than 
coherent states. However, as Table I shows, the value of 
the attenuation in Alice’s setup is at least 170 dB. It 
seems unlikely that the fragile squeezed state can survive 
in this lossy environment. The second part of this as¬ 
sumption descends from the convexity of the secure key 
rate as a function of /iout? which has been verified for all 
the key rates presented in this work. 

Assumption 3 is necessary to remove additional side- 
channels that could, in principle, enhance the THA, e.g., 
encoding states that are different from the ideal ones pre¬ 
scribed by the BB84 protocol. Also, it guarantees that 
the rate equations derived for the decoy-state BB84 pro¬ 
tocol hold, because Eve’s tampering with Alice’s decoy 
state estimation would represent an additional side chan¬ 
nel and would contradict the assumption. Extending the 
security argument to decoy states without making use 
of Assumption 3 could be a trivial task and a detailed 
separate study is required. However, we would like to 
speculate on this point further. 

For simplicity, we assume that the light emitted by 
Alice is phase-randomized. In some cases, this is sim¬ 
ple to guarantee, e.g., when phase-randomization is an 
intrinsic feature of the light source [36]. In other cases, 
when phase randomization is committed to a separate 
active component m, it could be more difficult to show 
that Eve cannot access this extra component with a more 
refined THA. With phase randomization on hand, the 
decoy state technique requires that the intensity of the 
emitted light is varied in a random way, known to Alice. 
This can be achieved by adding an intensity modulator 
(IM) to the setup of Fig. between the interferometer 
and the laser source. If there is no additional optical iso¬ 
lation between the IM and the interferometer, the optical 
isolation 7 that shields Alice’s PM from Eve applies to 
the IM too and the coherent state sent by Eve to probe 
the IM returns to her with an average photon number 
not larger than /iout- However, if there is a perfect opti¬ 
cal isolator between the IM and the interferometer, then 
the Trojan photons retrieved by Eve are only informative 
about Alice’s PM, whereas the IM is perfectly shielded 
from Eve. This latter case is an example of how the 
Assumption 3 can be enforced. However, because a per¬ 
fect isolation is impossible in practice, we considered how 
the key rates of the decoy-state BB84 would change if a 
single real optical isolator, guaranteeing 50 dB isolation, 
were used instead. In this case, the /iout back-reflected to 
Eve from the IM would be 5 orders of magnitude smaller 
than the one back-reflected from the PM. Applying to 
this realistic scenario an argument similar to the one de¬ 
scribed in the forthcoming Appendix C. 2 , we found key 
rates that are indistinguishable from the ones presented 
in this work. 
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Assumption 4 and 5 are related to the proof meth¬ 
ods adopted by us to draw the key rates in presence 
of a THA [29H31] |68]. There, security was proven in 
the asymptotic scenario leveraging on the fact that the 
measurement performed by the receiver is equivalent 
to a basis-independent filter followed by a two-valued 
POVM (Positive-Operator Valued Measure). In [69] it 
was shown that this assumption can be enforced if Bob’s 
single-photon detectors have equal efficiency and if their 
dark counts and efficiencies are carefully modeled. The 
detectors can be threshold detectors and in this case a 
specific value of the key bit must be assigned whenever 
both detectors click, to guarantee the basis-independence 
condition. 

Assumption 6 is necessary during the characterization 
stage to upper bound the reflectivity of the transmitter, 
as shown in Sec. [IV|A. To meet this assumption, we put 
particular care in the OTDR experiment to avoid nonlin¬ 
ear effects |70] due to a high power from the laser, which 
is the only source of light in the experiment. For that, 
the intensity of the laser was set to about 6 nW. Let us 
notice that Eve is not playing any role here, because the 
characterization of the QKD setup is accomplished in a 
protected environment. Therefore, we can safely assume 
that the reflectivity depends linearly on the polarization, 
as in ordinary Fresnel equations. 


B. Rate equations for the Trojan-horse attack: 
general case 

With the assumptions of the previous section on hand, 
let us describe the security argument in more detail. In 
the GLLP-Koashi approach 1221 ED], an entanglement- 
based description of the preparation stage is adopted. 
The states to be prepared are given in Eq. <§• We rewrite 
them here for convenience: 

\'^{) x)be = |0x)s G I + V/^out)^;, 

\'^1x)bE = |1x)b G I - A//^out)£;, 

|'0oy)s£; = |1 v)b G) | + i^/ii out) E 1 

\i^lY)BE = |0v)b G I — ^V/^out)^;- (17) 

The X basis states of Eq. ( [I7| ) can be prepared by Alice 
by measuring in the basis I lx) a} the following 

entangled state: 

1 ^^^ ^ \*^x)A\i’0x) BE + \'^x)A\i'ix) BE 
\/2 

Similarly, the Y basis states of Eq. ( [l7| ) can be prepared 
by measuring in the basis {|0y)A, |1 iTa} the state: 


In this case, we know that the secure key rate of the 
single-photon efficient BB84 protocol with data basis X 
and test basis Y would be: 


T^ideai = Qx[l - ^(ey) - fEch{ex)], (20) 


where Qx is the single-photon detection rate in the X 
basis; ey {ex) is the error rate measured from single 
photons in the Y {X) basis; /ec > I is the inefficiency 
of error correction ED. Because we are considering here 
a single-photon source, all the quantities in Eq. (20) refer 
to the single photon case. 

When the preparation is not perfect, or part of the 
basis information leaks out of the transmitting unit, the 
states |Tx) and |Ty) are different and the above key rate 
has to be replaced by the following one m- 


R = Qx[l — ^(ey) — fEch{ex)]- 


( 21 ) 


In Eq. (21), the phase error rate ey has been replaced by 


a larger error rate, e'y > ey. It was shown in |30] that 
the term e’y is an upper bound to the error rate that the 
users would find if they measured the V-basis state |Tx) 
in the basis Y. 

To find the relation between the error rates e'y and ey, 
we can imagine that Alice owns a private bidimensional 
quantum system, a “quantum coin” m, and prepares 
the following state: 


i$> = 


|0z)c|^x) + |lz)c|^y) 

V2 


( 22 ) 


where the subscript C refers to the quantum coin. The 
states in Eqs. 0 can then be prepared by Alice by first 
measuring the quantum coin in the basis {\^z)ci |lz)c} 
and then, depending on the outcome, measuring the re¬ 
sulting state |Tx) or |Ty) in the basis {| 0 x ) a , | 1 x ) a } or 
{|0y)A, lly)^}, respectively. Because Eve has no access 
to the quantum coin, she cannot distinguish this virtual 
preparation from the real preparation executed in the 
actual protocol. Therefore we are allowed to think that 
Alice prepares her initial states using the quantum coin. 
Also, she can delay her measurement until after Bob has 
measured the states received from Alice. In this scenario, 
by noting that Eve’s information about Alice’s key does 
not change if Bob measures |Tx) in the basis V, Koashi 
obtained e'y from ey using a complementarity argument, 
by applying the “Bloch sphere bound” m to the quan¬ 
tum coin [30] . 

Let us quantify the basis dependence of Alice’s states in 
terms of the quantum coin imbalance [29]. By rewriting 
Eq. ( [ 2 ^ in the X basis of the quantum coin, we find: 


1 ^^^ ^ \^y)a\'<Poy) BE + \ Y) a\'4’Iy)BE 
\/2 

If the state preparation stage was perfect, the two states 
|Tx) and |Ty) would be indistinguishable, as it can be 
verified from the above equations in the limit /iout ^ 0- 


1 ^^ ^ |0x)c(|^x) + l^y)) + lU)c(l^x) - l^y)) 

^ (23) 

To quantify the basis dependence of Alice’s states, we 
need to evaluate the probability that the two states |Tx) 
and |Ty) are different. From the above equation, it 
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amounts to the probability that Alice obtains the out¬ 
come X = —1, associated to the state \lx)c^ when she 
measures the quantum coin in the basis X. We call A 
this probability: 


A = Prob(Xc = -1) = 


1 - Re((^x|^y)) 


(24) 


Let us estimate it for the states prepared by Alice. From 
Eqs. (18) and (19) we can calculate: 


A = - [1 


■ exp( /i-out) cos (/Tout)]- 


(25) 


When /iout = 0, A = 0 and the states emitted by Alice 
are basis independent. However, when /iout > 0, A is pos¬ 
itive and the states carry some basis information out of 
Alice’s enclosure. The basis information can be exploited 
by Eve to enhance her strategy, acting on the channel 
losses, which are entirely under her control. Specifically, 
she can replace the real channel with another, loss-free, 
channel. Then she selectively stops all the states that 
are not favorable to her, until the loss rate measured by 
the users is matched. To account for this possibility, the 
users must consider the worst case where all the non- 
detected events were coming from X = 1 eigenstates of 
the quantum coin and renormalize A accordingly: 



(26) 


In Eq. d^ , y = min(3^x,3^v), with yx and yy the 
single-photon yields measured in the X and Y basis, re¬ 
spectively. Einally, using the Bloch sphere bound m 
and the effective coin imbalance A', the relation between 
the phase error rates e'y and ey is obtained as [301EB: 


e'y = ey + 4A^(1 — A^)(l — 2ey) -|- 

+ 4(1 - 2A')v/A'(l-A')ey(l-er). (27) 


When the single-photon source is replaced by a decoy- 
state source and under Assumption 3 of Appendix A, 
the resulting rate is a straightforward generalization of 
Eq. ( [^ along the lines described in [38] . Indicating with 
a tilde the quantities to be estimated via the decoy-state 
technique, we have: 


i? = gW |i-/i 


;'(1) 


- Q^x fEch[^x^]^ (28) 


where; 


s'(i) 


eF+4A'(l-A')(l-2ey) + 


+ 4(1 - 2A')^JA'{1 - A')eY{l - ey), 


A' = t 

y 

1(1) 


(29) 


In Eq. (28), is the decoy-state estimation of the 


single-photon detection rate Qx (see Eq. @) and 
is the detection rate of the signal pulse measured in 
the X basis. In Eq. (29), we conservatively defined 
y = min[3^x, with yx and yy the single-photon 
yields in the X and Y basis, respectively, estimated via 
the decoy state technique. 


C. Rate equations for two specific Trojan-horse 
attacks 

1. Trojan-horse attack with a passive use of the Trojan 
photons 


We analyze the security of the BB84 protocol against a 
different, less general, THA. This serves a twofold pur¬ 
pose: it provides un upper bound to the key rate achiev¬ 
able in presence of a THA and gives us a chance to use 
a different proof method to study the THA. 

In the specific THA of this section. Eve uses the infor¬ 
mation leaked from Alice in a passive way. She extracts 
from the quantum channel the states labelled with E in 
Eq. ( [Tt] ) and stores them in a perfect quantum mem¬ 
ory. This causes no disturbance on the quantum channel 
connecting Alice and Bob. Then, during the basis rec¬ 
onciliation stage of the BB84 protocol. Eve learns the 
basis information communicated by the users on a public 
channel. This allows her to measure the stored states in 
the same bases as the users and learn the resulting key 
bit every time the result of her measurement is conclu¬ 
sive. The conclusiveness of her results depends on the 
magnitude of the parameter /iout in the stored states. 

We analyze this situation using the loss-tolerant proof 
method described by Tamaki et al in [68]. Eor that, 
we can use the equations of the previous section until 
Eq. (21). The difference starts with the estimation of 


the phase error rate in the virtual protocol, e^, which is 
more direct than in the GLLP-Koashi approach. 

We consider a real protocol, in which Alice prepares 
the state in Eq. ( [Tt] ) and sends them to Bob (and Eve), 
and a virtual protocol, in which an entanglement-based 
view is adopted. In both cases, we assume that Bob’s 
measurement does not depend on the basis choice. This 
is guaranteed by the Assumption 4 discussed in Ap¬ 
pendix A. 

In the virtual protocol, Alice prepares the states to be 
sent to Bob by measuring her half of an entangled state. 
This is the same state as in Eq. (18), which we rewrite 


here both in the X and in the Y basis: 


i^) = 


\0x)a\‘4’Ox)bE + yx)A\‘4’lx)BE 

V2 


(30) 


l^) = 


\0y)a\4>iy)be + |ly)7i|<)>0Y) 


BE 


72 


In Eqs. ( |30| ) and (31) we have defined: 

—i|0y)B|e_)£; + |ly)B|e+)E 


\4>iy)be = 
\<I>oy)be = 

k±) = 


72 

|0y)B|e+)£; + i\lY)B\e-)E 

7 l ’ 

I \/Mout ) i I yj Mout ) 

7i ■ 


(31) 


(32) 

(33) 

(34) 


Notice that when /Ltout 0, \'tpox )be -> lOx)^^)^, 
\'^ix)be -> |1x)b|v)e, \(j>iY)BE —t \'^y)b\v)e and 
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|0oy)B£; ^ \^y)b\'^)e^ where |i;) is the vacuum state, 
thus recovering from Eqs. (30) and ([M]) two maximally 


entangled states in a two-dimensional Hilbert space ten¬ 
sor product with the vacuum state. This situation is 
secure against the THA and constitutes a reference for 
our later argument in Appendix C. 2 . However, when 
A^out > O 7 the effective Hilbert space’s dimension be¬ 
comes larger than two, favoring the THA. Note also that 
the states in Eq. (34) are orthogonal but not normal¬ 
ized, while the states in Eqs. (32) and ( [^ are nor¬ 
malized. More specifically: (e±|e±y = 1 ± exp(— 2 /iout )5 
(e±|ezp) = 0 , {(t)wY\(t>wY) = 1 , with w = { 0 , 1 }. 

Let us assume for the moment that the system E is 
not accessible either to Alice or to Eve. Under this as¬ 
sumption, the proof method in Ref. [ 68 ] applies. This 
is so for a twofold reason. Eirst, the security argument 
in [ 68 | is based on the description given in (SO] [31] , which 
allows for an enlarged dimension of Alice’s Hilbert space. 
Second, Eve cannot perform a basis-dependent selection 
of the states emitted by Alice, because the basis informa¬ 
tion is contained in the system E, which is not accessible 
to her. Therefore, as shown in [ 68 ], she cannot modify 
the transmission rates of Alice’s states using the basis 
information potentially leaked from Alice’s module. We 
notice that also in the specific THA considered here Eve 
has no chance to modify the transmission rates during 
the quantum transmission, due to the fact that Eve is 
allowed to access the system E only after the basis in¬ 
formation has been publicly disclosed by the users. 

Given that, suppose that Alice measures the ancil¬ 
lary states of |T) in the Y basis. Because the states in 
Eqs. ( j^ and ( [^ are normalized, she will obtain with 
probability 1/2 the state | 0 y) and with probability 1/2 
the state |ly), thus projecting |T) into one of the follow¬ 
ing two states, respectively: 

Pb^ = Tr£;(| 0 iy)B£;( 0 iy I) 

= C_|0y)B(0y I + C+|ly)B(lv| 

= 2 [^0 “ exp(-2/iout)^2], (35) 

Pb^ = Ti e{\(I)oy) BE {(I^oy\) 

= c+|0v)b(0v| + c-\1y)b{'^y\ 

= 2 [^0 + exp(-2/iout)^2], (36) 

where we have defined c± := {e±\e±)/2 and introduced 
the identity operator in the 2-dimensional Hilbert space 
(Jo and the Pauli matrix (J 2 = [(0, —i), (i,0)]. These op¬ 
erators are necessary to connect the T-basis states of 
the virtual protocol, Eq. (32) and (|3^, to the T-basis 


states of the real protocol, contained in the third and 
fourth line of Eq. ( [Tt] ). Because any qubit state can 
be written as a linear combination of identity and Pauli 
matrices, its transmission rate can be obtained directly 
from the Pauli matrices’ transmission rates [68]. Accord¬ 
ingly, we define the transmission rate of (j/^, k = {0, 2}, as 


Qs^ 


,|fe = Tr(Dsya-fc)/2, with Dgy = Ai an 


arbitrary operator associated to Eve’s action and Mqy 
the operator representing Bob’s POVM in the T basis 
associated to the bit value s. We can then obtain the 
transmission rates in the virtual and real protocol as com¬ 
binations of the qsY\k^' 

Let us call Py the probability that Alice and Bob both 
select the T basis. In the real protocol (superscript r), 
the joint probability Alice sends out the state 

|iy) and Bob detects IjV) (i, j = 0,1) is for each pair of 
states: 

p2 

'^0y,1y ^ y (^Oy'lO + ^ 0 y| 2 ), 

>(r) _ Py 


^IyPy ~ Y(^lr|0 + ^ly|2), 

p2 

'^Oy Py {QOyP ^ 0 ^ 12)5 

p2 

JlAv “ “ 5ly|2)- 


(37) 


The corresponding probabilities in the virtual protocol 
(superscript v) are: 


V, 


{v) 


Py 


0 ^, 11 " 2 

,2 


o 2yo 


n 


(v) 


y ,1 y ~ 2 ® 


*90y|2)i 

*9ly|2), 


TjU) _ ^ _ p 2^out ^ ^ 


-p(w) _ Py / 

' 1 y ,0 y ~ y 


-|o - e 


QIyP- 


(38) 


In order to define the phase error rate, we need to identify 
the error event in the virtual protocol. This can be done 
using Eqs. ( [Tt] ), ( |3T| , (32) in the limit pout 0- When 
there is no THA on the channel. Bob obtains the correct 
state |ly) (|0y)) when Alice measures jOy) (|ly)) on her 
ancillary states. Hence we associate an error with both 
Alice and Bob obtaining the same state, |0y) or |ly). So 
the phase error rate can be written as: 




ev — 


(U 


+ Hy, 




(v) 




(v) 

OyPy 






(39) 


Erom Eqs. (37), (38) we can rewrite the phase error rate 


in terms of the rates measured in the real protocol. The 
result is: 


1 . 


ey = ^[1 - exp(-2yUout)], 


where we have set: 


(r) 

aw = 




Ei,,= 


i,ji’={ 0 ,l} ' JyW 


V, 


(r) 


(40) 


(41) 


The secure key rate is obtained by replacing the phase 
error of Eq. (40) into Eq. 


R* = Qx [1 — h (e'y) — fsch (ex)] • 


(42) 
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FIG. 8. Asymptotic key rate R* versus distance for the single¬ 
photon efficient BB84 protocol, under a passive THA. The 
rate is plotted for various values of the parameter /Xout- Pa¬ 
rameters in the simulation are as in Fig. 
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FIG. 9. Asymptotic key rate R* versus distance for the decoy- 
state efficient BB84 protocol, under a passive THA. The rate 
is plotted for various values of the parameter flout • Parameters 
in the simulation are as in Fig. 


The key rate in Eq. (42) applies to slightly more gen¬ 


eral THA than the specific one considered in this sec¬ 
tion. It applies to all THA in which Eve cannot interact 
with the auxiliary Trojan-horse states (labelled with E in 
Eq. ( p!7[ ) ) during the transmission of the qubit states (la¬ 
belled with B in Eq. 0 ). We already noted that if Eve 
cannot access the auxiliary system E during the quantum 
transmission, she cannot selectively modify the transmis¬ 
sion rates V. Here we additionally note that even if Eve 
changed her action, described by the operators A/, ac¬ 
cording to whether she will own or not the auxiliary sys¬ 
tem E after the basis reconciliation step, she would not 
gain more information about the final key. This descends 
from Koashi’s proof method m, upon which the proof 
described in [68] is built. There, it was shown that irre¬ 
spective of who owns the auxiliary system, whether Alice 
or Eve, if the users can obtain a faithful estimation of the 
phase error rate e^, they can in principle distil a perfect 
qubit in a F eigenstate. When measured by Alice in the 
data basis X, the Y eigenstate always provides her with 
a fully random key bit, not predictable by Eve. There¬ 
fore, even if Eve tunes her choice of the operators Ai on 
the auxiliary system E, her knowledge of the final key 
does not increase. The only condition required is that 
Eve accesses the auxiliary system E after the quantum 
transmission has been completed by the users. 

To adapt the key rate in Eq. (42) to the decoy-state 
estimation technique we exploit Assumption 3 in Ap¬ 
pendix A, according to which Eve cannot use the THA 
to modify the decoy-state estimation. Then we need to 
show which quantities have to be estimated using decoy 
states. We use the tilde to explicitly indicate such quan¬ 
tities in the key rate: 


R* = gW 


1 — h 


,'(!)■ 


- Qx’fEcHe^x'’]^ ( 43 ) 


where s is the mean photon number of the signal in the 
decoy-state set, is the overall single-photon detec¬ 


tion rate in the X-basis, estimated using the decoy-state 
technique, and are, respectively, the measured 
detection and error rates for the signal in the X basis. 
Eurt her more, we have set: 




(r) 

a~^ = 


JY,IY 


y • 


-pir) 

{ 0 , 1 } ' jY,lY 


(44) 


which are a straightforward generalization of Eqs. 
and (41). 

The key rates i?* and i?* are plotted in Eigs.|^and[^ 
Both the resulting key rates show no strong dependence 
on the mean Trojan photon number /iout- The key rates 
are coincident with the ideal rate corresponding to no 
THA for all values of //out smaller than ^ 10“^, and re¬ 
mains positive up to values 0.5 (0.38) in case of a single¬ 
photon (decoy-state) source. This represents an improve¬ 
ment of several orders of magnitude over the key rates 
for a general THA presented in Sec. [HI and suggests that 
the power of a THA comes from Eve’s capability of se¬ 
lectively introducing losses in the transmission channel, 
conditional on the information gained from the THA. 
This observation motivates the study of a more involved 
THA, in which the shield system E is actively used. 


2. Trojan-horse attack with active unambiguous state 
discrimination of the Trojan photons 

We consider a particular THA in which Eve can access 
the ancillary system E, generated by the THA, during 
the quantum transmission, i.e., before the bases are re¬ 
vealed by the users. However, she can only measure it 
using a specific measurement described later on. This is 
more powerful than the THA considered in the previous 
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section, but less powerful than the most general THA 
discussed in Sec. [HI and Appendix B. 

In this THA, Eve accesses the space E of the Tro¬ 
jan photons during the quantum transmission stage. She 
then uses Unambiguous State Discrimination (USD) [73] 
to distinguish | + E from | — ^/iout) E- These states 

correspond to Alice’s states in the data basis (X), as per 
Eq. ( [T7| ). Therefore, whenever the USD succeeds. Eve 
knows the key bit without measuring, and hence per¬ 
turbing, Alice’s qubit. 

However the USD measurement not always provides 
Eve with a conclusive result and Eve’s strategy can be 
improved as follows. When the result is conclusive. 
Eve transmits Alice’s pulse to Bob without modification; 
when it is inconclusive. Eve stops Alice’s pulse and in¬ 
troduces a loss in the communication channel. Later on, 
during the basis reconciliation step. Eve will learn the 
bases chosen by Alice and Bob. After discarding the out¬ 
comes of the USD performed on Alice’s F-basis states. 
Eve will be left, ideally, with the same key bits as the 
users, distilled from the X basis, without having caused 
any noise on the communication channel. 

Let us add more details to this scenario. When Alice 
prepares a F-basis state. Eve’s retrieved Trojan pulse is 
in a state | ± i-\/TXut)E’ This state cannot help Eve de¬ 
ciding between the two outcomes related to the X basis, 
because it is equally likely to be projected on either of the 
two X basis states | ±-\//iout)£; • Therefore, Eve’s decision 
to retain or transmit Alice’s state is not related to an in¬ 
creased information gained by Eve and does not require 
an increase of the privacy amplification performed by the 
users. On the contrary, when Alice prepares a X-basis 
state. Eve can modify the transmission rates in a way 
that affects the security of the system. In a worst-case 
scenario, we then assume that all the counts detected by 
Bob come from the X basis and from a conclusive out¬ 
come of Eve’s USD measurement. 

Let us call Pcon and pinc = I — Peon the probabilities 
of a conclusive and inconclusive outcome, respectively, 
from the USD of X-basis states. A lower bound to pinc 
is given by the Ivanovic-Dieks-Peres bound 173H75]; 


Pine ^ I (\/Pout I \/Pout) I 

= exp(-2pout)- (45) 

Then, according to the above-described THA, the frac¬ 
tion of detected events in the X basis that have been 
transmitted conditional on a conclusive result by Eve is 
at most: 


^ / 1 - Pine ^ 1 - exp(-2//out) 

‘-^r- —y—' 

with y := min[Fx 5 3^y] and Fjv (3^v) fhe single-photon 
yield in the X (F) basis. The fraction S (respectively 
I—(5) contains insecure (secure) bits distilled by the users, 
because they come from Eve’s conclusive (inconclusive) 
measurement. When the USD is inconclusive. Eve can¬ 
not modify selectively Alice’s pulses using the system E. 
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FIG. 10. Asymptotic key rate R** versus distance for the 
single-photon efficient BB84 protocol, under a THA with un¬ 
ambiguous state discrimination by Eve. The rate is plotted 
for various values of the parameter pout- Parameters in the 
simulation are as in Fig. 
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FIG. II. Asymptotic key rate R** versus distance for the 
decoy-state efficient BB84 protocol, under a THA with un¬ 
ambiguous state discrimination by Eve. The rate is plotted 
for various values of the parameter pout- Parameters in the 
simulation are as in Fig. 


Therefore, following the same reasoning as in the previ¬ 
ous section, we can apply the proof of Ref. [68] to this 
fraction of pulses to estimate the key rate. 

In the present THA, whenever the USD provides a con¬ 
clusive outcome. Eve forwards Alice’s pulse to Bob with¬ 
out perturbing it. Therefore only a fraction I — ^ of the 
counts provide a faithful estimation of the error rate. Af¬ 
ter bounding the phase error rate as ey/(I — we can 
follow similar steps as in Ref. [29] to show that secure 
key bits can be extracted from the single-photon efficient 
BB84 protocol in presence of the here-described THA at 
a rate: 


R** = QxU^-^) 


1-h 


I-^> 


^ - fEch{ex)^ • 


(47) 

Eqs. (|46|) and (|47|) can be easily generalized to the case of 
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a decoy-state source under Assumption 3 of Appendix A: 


R** = qW(i -5(1)) 


-(1) ^ 1 - exp(-2/Xout) 

5;(i) 


3 '( 1 ) 


1-h 


l-(5(i) 


■ Q^x^fEchie^x'’] 


(48) 


with = min[3^3^\ J’y ]. In Eq. (48), the tilde indi¬ 


cates quantities to be estimated via the decoy state tech¬ 


nique. 


Q'i' 


and are the same as in Eq. (|43|). The 


expression of the phase error rate is the 


same as m 


Eq. (44), because it is estimated in the Y basis which, in 


this specific THA, does not allow Eve to selectively mod¬ 
ify the transmission rate conditional on her information 
on Alice’s state. 


The key rates in Eqs. ( [47[ ) and ( [4^ are plotted in 
Eigs. and [m respectively. Despite they are better 
than the key rates in Eigs. [^and[^ drawn for the most 
general THA from the GLLP proof method [29], there 
is no wide gap between the two situations. This sug¬ 
gests that the particular THA described here catches the 
main features of the general attack described in Sec. |TI| 
It also suggests that the real-time use of the auxiliary 
system E is the main source of troubles in a THA. This 
seems to be particularly detrimental in the framework of 
Ref. [68], which heavily relies on Eve’s inability to change 
the transmission rates of the states emitted by Alice. 

It would be interesting to extend the proof method of 
Ref. [68] to more general Trojan-horse attacks than the 
one described in this section. However, such a general¬ 
ization is not straightforward and a separate analysis is 
required Hg. 
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